What do the default iptables rules mean?
Environment
- Red Hat Enterprise Linux 5
- Red Hat Enterprise Linux 6
Issue
I use "system-config-securitylevel" or "setup" to set up the system firewall on RHEL. Even if I don't enable any port, it generates a set of rules by default. What do these rules mean?
Resolution
You can see the following rules in /etc/sysconfig/iptables:
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Here is the meaning of some rules:
This rule means: accept all traffic from the loopback device (from localhost to localhost)
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
This rule means: accept ICMP packets of any type
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
These 2 rules are for IPSec:
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
This rule is for mDNS (accept udp port 5353 addressed to the multicast address 224.0.0.251):
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
These 2 rules are for CUPS printing service (accept tcp and udp port 631):
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
This rule means: accept all packets that belong to, or are related to, an existing connection.
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Finally, this rule rejects all other packets and replies to their source with an "icmp-host-prohibited" packet:
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
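The rules above are evaluated top to bottom inside the RH-Firewall-1-INPUT chain, and the first match decides the verdict; the final REJECT is what makes the chain deny-by-default even though the INPUT policy is ACCEPT. The following script is an added example, not part of this article or of system-config-securitylevel: it parses the rule set in the iptables-save format shown above and classifies constructed packets (dictionaries describing interface, protocol number, destination port/address and conntrack state) the way the chain would. Protocol numbers 50 and 51 are ESP and AH, the two IPsec protocols. The evaluator models only the matches these rules use (-i, -p, -d, --dport, --state, --icmp-type any), so it is a teaching aid for reading the file, not a replacement for iptables.

```python
"""Classify constructed packets against the default RH-Firewall-1-INPUT chain.

Added example (not from the article): a minimal evaluator for the subset of
iptables-save syntax used by the default system-config-securitylevel rules.
"""
import shlex

# The rule set from /etc/sysconfig/iptables as shown in the article.
RULES_TEXT = """
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# IANA protocol numbers for the names that may appear after -p.
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ah": 51}


def parse_rules(text):
    """Return (policies, chains): built-in chain policies and per-chain rule lists."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                      # chain declaration
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy   # "-" = user chain
            chains[name] = []
        elif line.startswith("-A "):                  # append rule to a chain
            toks = shlex.split(line)
            rule = {"chain": toks[1]}
            i = 2
            while i < len(toks):
                opt, val = toks[i], toks[i + 1]
                if opt == "-p":
                    rule["proto"] = PROTO_NUMBERS.get(val, int(val) if val.isdigit() else val)
                elif opt == "-i":
                    rule["iface"] = val
                elif opt == "--dport":
                    rule["dport"] = int(val)
                elif opt == "-d":
                    rule["dst"] = val
                elif opt == "--state":
                    rule["states"] = set(val.split(","))
                elif opt == "-j":
                    rule["target"] = val
                elif opt == "--reject-with":
                    rule["reject_with"] = val
                # "-m <ext>" and "--icmp-type any" add no extra constraint here.
                i += 2
            chains[rule["chain"]].append(rule)
    return policies, chains


def matches(rule, pkt):
    """True if every match in the rule agrees with the packet description."""
    if "iface" in rule and pkt.get("iface") != rule["iface"]:
        return False
    if "proto" in rule and pkt.get("proto") != rule["proto"]:
        return False
    if "dport" in rule and pkt.get("dport") != rule["dport"]:
        return False
    if "dst" in rule and pkt.get("dst") != rule["dst"]:
        return False
    if "states" in rule and pkt.get("state") not in rule["states"]:
        return False
    return True


def verdict(policies, chains, chain, pkt):
    """Walk a chain first-match-wins; follow jumps into user-defined chains."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target == "ACCEPT" or target == "DROP":
            return target
        if target == "REJECT":
            return "REJECT " + rule.get("reject_with", "icmp-port-unreachable")
        if target in chains:                          # jump; fall through if chain returns
            result = verdict(policies, chains, target, pkt)
            if result is not None:
                return result
    return policies[chain]                            # built-in policy, None for user chain


def classify(pkt, text=RULES_TEXT):
    """Verdict for a locally delivered packet, i.e. entering the INPUT chain."""
    policies, chains = parse_rules(text)
    return verdict(policies, chains, "INPUT", pkt)


if __name__ == "__main__":
    # Constructed sample packets (state is what conntrack would report).
    samples = {
        "ssh SYN from the network":      {"iface": "eth0", "proto": 6, "dport": 22, "state": "NEW"},
        "reply to an outbound connection": {"iface": "eth0", "proto": 6, "dport": 40000, "state": "ESTABLISHED"},
        "mDNS to 224.0.0.251":           {"iface": "eth0", "proto": 17, "dport": 5353, "dst": "224.0.0.251", "state": "NEW"},
        "udp/5353 to a unicast address": {"iface": "eth0", "proto": 17, "dport": 5353, "dst": "192.0.2.10", "state": "NEW"},
        "IPsec ESP":                     {"iface": "eth0", "proto": 50, "state": "NEW"},
        "anything on loopback":          {"iface": "lo", "proto": 6, "dport": 22, "state": "NEW"},
    }
    for label, pkt in samples.items():
        print(f"{label:34} -> {classify(pkt)}")
```

Running the script prints one verdict per sample; a new SSH connection from the network ends in REJECT icmp-host-prohibited because nothing before the last rule matches it, while the reply to an outbound connection is accepted by the ESTABLISHED,RELATED rule. Swapping the order of the last two rules in RULES_TEXT (or deleting the REJECT) and rerunning shows why rule order and the explicit final reject matter even with a permissive INPUT policy.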
Note (Internal):
The template for this set of rules is hard-coded in the write_firewall function in lokkit.c in the source of system-config-securitylevel.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.